Kubernetes Goat playground
What is this lab?
A guided Kubernetes playground for exploring cluster and workload security: namespaces, pods, services, RBAC, service accounts, risky pod settings, and exposure patterns that matter in real clusters.
What you will learn
- Core objects: pods, deployments, services, namespaces, service accounts
- Insecure workload settings (for example privileged containers, hostPath, exposed services)
- How weak RBAC and service account usage extend attack paths
- Reading manifests and relating them to runtime behavior
- Foundations for container and orchestration security assessments
Prerequisites
Tools
- Web browser and/or web terminal as provided by the lab
kubectlif exposed in your environment (optional; follow lab instructions)
Knowledge
- Basic container concepts
- Comfort with YAML at a skim level helps
Launch the lab
Open Kubernetes Goat in CSN Labs →
Getting started
- Start the lab and open the portal or terminal shown.
- Enumerate namespaces, pods, services, deployments, and service accounts.
- Inspect workload specs for security-relevant fields (security context, volumes, ports).
- Document what each workload can access before testing escalation ideas.
How to use this lab
- Compare manifests to observed behavior.
- Pay attention to RBAC bindings, service account tokens, and network exposure.
- Track findings as: resource, issue, impact, hardening recommendation.
Challenge themes
- Recon and mapping — namespaces, workloads, services, attack surface
- Insecure workload configuration — privileges, host paths, weak security contexts
- RBAC and service accounts — excessive permissions
- Container and node boundaries — configurations that weaken isolation
- Hardening — Pod Security Standards, network policies, least privilege
Scenarios
Scenario walkthroughs for this lab will be added here over time.
Safety and ethics
Use only clusters and credentials you are authorized to test.